Privacy Policy
This policy describes how ("R-Flow") collects, uses, and protects your personal data, in compliance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and applicable US state privacy laws (CCPA, etc.).
1. Data controller
- R-Flow,
- Contact:
2. Data collected
R-Flow collects only data strictly necessary to provide its services. No sensitive data (ethnic origin, political opinions, health data, etc.) is collected.
2.1 At the time of order
- First and last name
- Email address
- Postal billing and shipping address
- Phone number (for delivery)
- Order history
Payment is processed by Shopify Payments. R-Flow does not collect or store any banking data.
2.2 During browsing
R-Flow uses Cloudflare Web Analytics, a measurement tool without cookies and without unique identifiers. No individual profiling is performed. Aggregated data collected includes:
- Pages visited (URL, title)
- Referrer (previous site)
- Country of origin (derived from IP, not stored)
- Device and browser type (generic user-agent)
No third-party tracker (Google Analytics, Facebook Pixel, etc.) is used.
3. Purposes of processing
Your data is used to:
- Process and ship your orders (contract performance);
- Send you transactional emails (confirmation, shipment, tracking);
- Reply to your customer service requests;
- Comply with our legal obligations (invoicing, accounting, warranty);
- Measure site audience anonymously and aggregately.
No data is used for marketing prospection without your prior explicit consent (opt-in).
4. Legal basis
- Contract performance (art. 6.1.b GDPR): order processing, delivery, warranty;
- Legal obligation (art. 6.1.c GDPR): invoice retention, accounting;
- Legitimate interest (art. 6.1.f GDPR): anonymous audience measurement, site security.
5. Data recipients
Your data is accessible only to authorized personnel within R-Flow, and to its technical sub-processors strictly within their missions:
- Shopify Inc.: order and payment processing (Canada / EU)
- Cloudflare, Inc.: hosting and audience measurement (United States, EU Standard Contractual Clauses)
- Carriers:
No data is sold, rented, or shared with third parties for commercial purposes.
6. International transfers
Some sub-processors (Shopify, Cloudflare) may process your data outside the European Union. These transfers are framed by appropriate safeguards: European Commission adequacy decisions or Standard Contractual Clauses.
7. Retention period
- Order data: 10 years (French accounting and tax obligation);
- Customer account data: until account deletion or 3 years of inactivity;
- Anonymous audience data: 6 months maximum.
8. Your rights
Under the GDPR, you have the following rights:
- Access: obtain a copy of data concerning you;
- Rectification: correct inaccurate or incomplete data;
- Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations;
- Objection: object to processing for legitimate reasons;
- Restriction: request temporary suspension of processing;
- Portability: receive your data in a structured, machine-readable format;
- Post-mortem directives: determine the fate of your data after death (French law).
For US California residents (CCPA), you have additional rights: right to know what categories of data are collected, right to opt-out of sale (we don't sell data), right to non-discrimination.
To exercise these rights: (response within 30 days).
If unsatisfied, you may lodge a complaint with the relevant supervisory authority: CNIL (France): cnil.fr/en/plaintes, ICO (UK): ico.org.uk/concerns/.
9. Security
- TLS/HTTPS encryption across the entire site;
- Payment processed by PCI-DSS Level 1 certified provider;
- Data access restricted to authorized personnel;
- Access logging and monitoring.
10. Minors
The site rflowsystems.com is intended for an adult audience. R-Flow does not knowingly collect personal data from minors under 16 (GDPR) or 13 (US COPPA). Any purchase by a minor must be made under the responsibility of a parent or legal guardian. If you believe a minor has shared personal data with us without authorization, contact us: we will delete it without delay.
11. IP address
Your IP address is never stored by R-Flow. Cloudflare processes it transiently for strictly technical purposes (security, fraud prevention, geographic caching) and only retains aggregated and anonymized data. No correlation between your IP and your identity is performed by R-Flow.
12. Data breach notification
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, R-Flow commits to:
- Notify the supervisory authority within 72 hours after becoming aware (GDPR art. 33);
- Inform you within the shortest delay via the email address provided at order (GDPR art. 34).
13. Cookies
No advertising tracking cookies or behavioral analytics are used. See the Cookie Notice.
14. Changes
This policy may be updated to reflect legal, technical, or functional changes. The last update date appears at the top of this page. Substantial modifications will be notified by email to registered customers.